Interview: Moonpig MD James Sturrock on data security

It's been a business week defined by data breaches. Today, police have arrested a second teenager accused of hacking the personal information of millions of TalkTalk customers, while Marks & Spencer moved to take down its website for a few hours on Wednesday after shoppers started seeing other consumers' data when logging on to the portal.

Add to that the issues which surfaced at British Gas yesterday, where customers' personal login details were exposed online, and it is clear to see that cybersecurity remains one of the most pressing challenges facing enterprises today.

One company that had an IT security-related scare earlier this year was personalised cards and gifts e-tailer Moonpig, which in January was alerted to a potential vulnerability in its mobile apps by prominent developer and tech blogger Paul Price. The company did not suffer a data breach but it moved to shut down its mobile platforms for a period of time as it investigated the strength of its IT security, and worked on a number of developments to protect its customers' details.

The consequences of the exposed system flaw could have been considerably more serious, and Moonpig's new managing director James Sturrock spoke candidly to Essential Retail this week about those issues, and called on the wider retail industry to ensure data and IT security is not just a siloed department of their businesses. In today's digital landscape, he argues, the two cannot be separated.

"The mistake some businesses make around data security is that it's twin-tracked alongside a commercial strategy rather than as part of the commercial strategy," he explained.

"Some companies may choose to make decisions and prioritise whether they launch the latest innovation for customers or work on their security. Actually the thing we've done really well this year at Moonpig, and I really encourage in the teams, is view the security roadmap and the commercial roadmap as one in the same."

Last year saw Moonpig bring its app development in-house, with the company creating its very own 'App Factory' located at its headquarters in London's Southwark, where a team of developers work on new projects and evolve the company's existing propositions.

"In a way the issue in January showed we made the right decision to bring development in house because we have much more control on the whole end-to-end development," said Sturrock.

"Whether it's mobile apps, or the website, we have full control of the web code and the APIs that run between the devices and the database."

The managing director, whose background before arriving in digital retailing was in insurance and banking with companies such as Direct Line and RBS Group, said Moonpig is now fully PCI compliant "to the highest level", with all the interactions on its website now secure, and the web feed into the database now encrypted.

Having recently joined the retail industry from a financial services background, where data and data security is typically the primary consideration for businesses, Sturrock is looking to bring some of that experience to the retail boardroom.

"The breaches we've seen from various companies have been highly publicised, so we take it seriously but I don't want it to feel like it's got extra focus because we've had issues in the past – actually it's now just the way we operate," he commented.

"If you compare it to other industries like banking, it's just the way they operate. To stop this happening in the future, retailers need to do exactly that; not treat security as something you have alongside commercial. It needs to be really integrated in your other teams.

"You need to embrace expertise in the company who can see those holes before they happen. Whether you are developing new code or developing propositions for customers, you have people who can advise you as you build."

Growing business

During peak occasions Moonpig has to deal with significant jumps in web traffic. For example, in the lead-up to Mother's Day 2014 Moonpig saw 250 orders a minute and its busiest day of traffic resulted in over 270,000 unique visits to the main website. The wider Moonpig team is working on various new services and platforms that the company hopes will support growing demand, and keep it competitive versus the high street, supermarkets and other digital players, while also helping the business grow its share of the overall cards and gifting market in the coming 12 months.

These are the shared targets of Sturrock, his superiors at parent firm PhotoBox Group and the senior team at Exponent Private Equity & Electra Partners, which last week announced they were close to completing their takeover of PhotoBox Group.

Extending the order cut-off time for next-day delivery to 7pm marked the first major advancement to Moonpig's service proposition since Sturrock's arrival in the summer, and he has plans to introduce new offerings next year, in addition to developing the company's gifts and flowers department – which he says is the fastest growing part of the business. There are also major plans to continue to develop the company's mobile platforms, which now account for around 50% of all card orders, as well as improve segmentation in its email marketing to provide a more relevant digital communication channel to its customers.

"By getting loads smarter with data, of which we hold a lot here, we can be more relevant to customers and understand their behaviour and the cards they are browsing, and be smart about the gift offering we suggest on the side," he noted.

"There's lots of work we can do around relevancy and personalisation."

Amazon is often cited as the benchmark for modern, relevant retailing, but the fact the company only celebrated its 20th anniversary in 2015 underlines the nascency of the eCommerce world, which is one reason Sturrock agrees it is difficult to name any company operating in the sector that is truly achieving the personalisation goal.

"It's where retailers can grow the most. Know your customer and, without being spooky, give them what they are expecting first time. The whole industry is learning; big data is about understanding your customers and giving them what they want."

Recognisable jingle

Essential Retail put it to Sturrock that in his new position as managing director – having stepped into the hot-seat of long-serving company leader Iain Martin in May, after serving six months as chief revenue officer – he has an opportunity to take Moonpig's marketing in a new direction.

And with a new man in charge, could we be about to see the end of the familiar high-pitched TV advert jingle that Joe Public instantly associates with the retailer, among the other changes he is bringing to the business? Not so, apparently.

"TV has played such an important role in our story; you recognise the jingle, all my friends and family recognise the jingle. The jingle was the brand when we first launched, but now we have an ambition to become more relevant to people's lives – not just a novelty.

"We have sent 80 million cards to customers since we launched [in 2000] and 12 million last year. We are gaining in the number of customers that use us and a lot of them use us more than once so we are moving well out of the novelty phase and adding real value to customers' lives. Absolutely not, the jingle is not going anywhere!"